Vulnerability CVE-2007-4124


Published: 2007-08-01   Modified: 2012-02-12

Description:
The session failover function in Cosminexus Component Container in Cosminexus 6, 6.7, and 7 before 20070731, as used in multiple Hitachi products, can use session data for the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information, corrupt another user's session data, and possibly gain privileges.

Vendor: Hitachi
Product: Cosminexus application server
Version: 6
Product: Cosminexus developer
Version: 6
Product: Electronic form workflow
Product: Ucosminexus service architect
Product: Ucosminexus application server
Product: Ucosminexus developer
Product: Cosminexus opentp1 web front-end set
Product: Ucosminexus opentp1 web front-end set
Product: Groupmax collaboration portal
Product: Cosminexus collaboration portal
Product: Ucosminexus service platform
Product: Ucosminexus collaboration portal
Product: Cosminexus erp integrator
Product: Ucosminexus erp integrator

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:N)

CVSS Base Score: 4.9/10
Impact Subscore: 4.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

References:
http://www.hitachi-support.com/security_e/vuls_e/HS07-024_e/index-e.html
http://www.vupen.com/english/advisories/2007/2725
http://secunia.com/advisories/26250
http://osvdb.org/37852
http://xforce.iss.net/xforce/xfdb/35706
http://www.securityfocus.com/bid/25145

Related CVE
CVE-2018-14735
An Information Exposure issue was discovered in Hitachi Command Suite 8.5.3. A remote attacker may be able to exploit a flaw in the permission of messaging that may allow for information exposure via a crafted message.
CVE-2017-9298
Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code.
CVE-2017-9294
RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to execute internal commands without authentication via RMI ports.
CVE-2017-9295
XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files.
CVE-2017-9296
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Tuning Manager before 8.5.2-00 allows remote attackers to redirect authenticated users to arbitrary web sites.
CVE-2017-9297
Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to redirect users to arbitrary web sites.
CVE-2015-1565
Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems Manager before 7.6.1-08 and 8.x before 8.1.2-00, as used ...
CVE-2014-4189
Cross-site scripting (XSS) vulnerability in Hitachi Tuning Manager before 7.6.1-06 and 8.x before 8.0.0-04 and JP1/Performance Management - Manager Web Option 07-00 through 07-54 allows remote attackers to inject arbitrary web script or HTML via unsp...

Copyright 2019, cxsecurity.com